How Data-centric Security Neutralizes Cyber Breaches

By Phyllis Muscara — April 16, 2015

What do Staples, Kmart, Dairy Queen, Jimmy John’s, PF Chang’s, Goodwill, Sally Beauty Supply, Michaels, and Neiman Marcus all have in common? The answer: credit-card data breaches. It is no longer a question of “if a cyber-breach will happen” but “when the cyber-breach happens”. Along the payment journey, from the point of sale (POS) to the processors, there are points that are vulnerable to cyber breaches.

According to the 2015 Data Breach Investigations Report by Verizon, brute forcing remote access connections to POS remains a primary intrusion vector. “RAM scraping has grown up in a big way. This type of malware was present in some of the most high-profile retail data breaches of the year, and several new families of RAM scrapers aimed at point-of-sale (POS) systems were discovered in 2014.” From an attack pattern standpoint, the simplest narrative is as follows: compromise the POS device, install malware to collect magnetic stripe data while it is being processed, retrieve the data, and cash in. It is becoming increasingly common for data thieves to create and deploy malware specifically designed to compromise POS systems.

Credit card data breaches in general, and this type of malware attack specifically, are why data-centric security has emerged as the new imperative for CISOs globally. For merchants who collect and process PAN (primary account number) data such as credit card numbers, data-centric security addresses the data breach risk by encrypting the payment card data at the data level, protecting it before it even reaches the POS. This protection might be applied in the card reader, in a PIN pad, or inside a reading “sled” or “wedge” attached to the POS. In these cases, if the POS is breached, the data it holds is of no value to the attacker.

When implemented correctly, these data-centric security approaches, delivered through HP SecureData, can dramatically reduce the cost of Payment Card Industry Data Security Standard (PCI DSS) compliance by reducing audit scope. Although it is imperative for merchants and consumer-facing businesses to adhere to the PCI DSS, PCI compliance does not equal data security. In many of the recent data breach cases, the attacked merchants were “PCI compliant”, but data thieves were still able to compromise their systems and steal sensitive cardholder data. Emerging business initiatives, such as mobile payments, e-commerce, cloud and Big Data projects, often bring more systems and applications into PCI scope, and with them more risk.

The key to mitigating these challenges is data-centric security, since it is the only way to protect sensitive data while still enabling business processes. Here at HP Security Voltage, we have developed data-centric approaches including HP Format-Preserving Encryption, HP Secure Stateless Tokenization and HP Page-Integrated Encryption to deliver enhanced data security and end-to-end secure commerce. HP Secure Stateless Tokenization is an advanced, patent-pending, proven data security technology; it is stateless because it eliminates the token database that is central to other tokenization solutions and removes the need to store cardholder data. Eliminating the token database significantly improves the speed, scalability, security and manageability of the tokenization process. Applications that handle the tokenized data, including back-end applications such as fraud analysis and loyalty programs, may be removed from PCI audit scope.
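To make the “protect at the reader, reveal only at the trusted host” idea concrete, here is an added example that is not HP’s code (HP Format-Preserving Encryption and HP Secure Stateless Tokenization are proprietary and are not reproduced here): a generic digit-domain Feistel cipher with an HMAC round function that keeps a PAN’s length and character set, so that the POS and every hop behind it handle only the protected value, and only a party holding the key can recover the original. The key, the round count and the test card number are constructed assumptions.

```python
import hmac
import hashlib

ROUNDS = 8  # even, so encrypt and decrypt split the digit string at the same point
SAMPLE_KEY = b"constructed-sample-key-not-for-production"  # lives only in reader and host

def _round_fn(key: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed round function: HMAC-SHA256 of (round number, other half), reduced to `width` digits."""
    mac = hmac.new(key, f"{rnd}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)

def fpe_encrypt(key: bytes, digits: str) -> str:
    """Feistel network over a decimal string; output has the same length and is all digits."""
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2:]
    for rnd in range(ROUNDS):
        f = _round_fn(key, rnd, b, len(a))
        a, b = b, f"{(int(a) + f) % 10 ** len(a):0{len(a)}d}"
    return a + b

def fpe_decrypt(key: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting the round output."""
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2:]
    for rnd in reversed(range(ROUNDS)):
        f = _round_fn(key, rnd, a, len(b))
        a, b = f"{(int(b) - f) % 10 ** len(b):0{len(b)}d}", a
    return a + b

def protect_pan(key: bytes, pan: str) -> str:
    """Reader side: keep the BIN (first 6) and last 4 in the clear, encrypt the middle digits."""
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 ASCII digits")
    return pan[:6] + fpe_encrypt(key, pan[6:-4]) + pan[-4:]

def reveal_pan(key: bytes, protected: str) -> str:
    """Trusted host side: the only place the key, and therefore the real PAN, is available."""
    return protected[:6] + fpe_decrypt(key, protected[6:-4]) + protected[-4:]

if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number, not a real card
    at_pos = protect_pan(SAMPLE_KEY, pan)  # this is all a RAM scraper on the POS would see
    print("held by POS :", at_pos)
    print("at host     :", reveal_pan(SAMPLE_KEY, at_pos))
```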

HP SecureData Web with Page-Integrated Encryption encrypts payment and personal data in browser-based transactions from the moment data is entered into a web browser all the way through the web tier, the application tier, cloud infrastructure, and upstream IT systems and networks to the trusted host destination. This shields sensitive customer data from theft in front-end and intermediate systems, and further reduces audit scope.

With these three technologies, we can create a data-centric security environment that neutralizes cyber breaches by making the data they capture useless. Hackers come in looking for gold and leave with straw – unusable data – thus protecting your business and your customers.